How to track down which publication sends user-related data?

I am using fastrender to speed up startup times. One user of my app recently complained that sensitive information can be found in the source code of each page. I first could not believe that but then found out that the e-mail address is included in fastrender's injected data.

Since I was sure I wasn’t publishing this part of the user document myself, I tried to track down which publication was responsible for publishing the e-mail address. I found out that okgrow:analytics has a pub that publishes all e-mails it can get to the client, including those of social networks.

I disabled the package and some of the data injected for okgrow:analytics went away. But still, the emails portion of the user document can be found in the injected code. I could not find any other publication causing this.

Is there a way to track down data that has been sent to the client, e.g. by inspecting the LiveData data structures?

Edit: I now found the real “culprit” for the emails publication:

Does anybody know why Meteor discloses the email to the client?

I also found this article: https://meteorhacks.com/instant-login-for-meteor-with-fast-render/. Obviously, the fact that FastRender auto-injects user data was meant as a “feature”.

(Still wondering how I could detect such a publication quicker, so I leave the question open.)

The publication for the logged-in user publishes their email. Since it’s their email address and it’s only published to them, it’s assumed not to be sensitive.

1 Like

As far as tracking which publication, I’m not currently aware of any way to accomplish this.

1 Like
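An added example, not part of the thread and not code from Meteor or fast-render: one way to audit what reaches the client is to walk the DDP frames (as copied from the browser's WebSocket inspector, already unwrapped to JSON) and flag sensitive fields together with the subscriptions still loading at that moment. The frames, the publication names `posts.recent` and `team.members`, and the field watch list are constructed assumptions; attribution is a heuristic, because DDP data messages carry no subscription id.

```javascript
// Assumed watch list of top-level field names that should rarely reach the client.
const SENSITIVE = /^(emails|services|password|token)/i;

// frames: JSON strings of DDP messages in wire order, both directions mixed.
function auditDdpFrames(frames, sensitive = SENSITIVE) {
  const pending = new Map(); // sub id -> publication name, "ready" not yet seen
  const findings = [];
  for (const raw of frames) {
    let m;
    try { m = JSON.parse(raw); } catch { continue; } // skip non-JSON frames
    if (m.msg === 'sub') pending.set(m.id, m.name);
    else if (m.msg === 'ready') (m.subs || []).forEach((id) => pending.delete(id));
    else if (m.msg === 'nosub') pending.delete(m.id);
    else if (m.msg === 'added' || m.msg === 'changed') {
      const fields = Object.keys(m.fields || {}).filter((f) => sensitive.test(f));
      if (fields.length === 0) continue;
      // Initial data for a sub arrives before its "ready", so subs still
      // pending are the candidates. With none pending, the source is a
      // null-name (universal) publication or a live update from a ready sub.
      const names = [...pending.values()];
      findings.push({
        collection: m.collection,
        id: m.id,
        fields,
        candidates: names.length ? names : ['(no pending sub)'],
      });
    }
  }
  return findings;
}

// Constructed sample session.
const sampleFrames = [
  '{"msg":"connected","session":"s1"}',
  '{"msg":"added","collection":"users","id":"u1","fields":{"username":"alice","emails":[{"address":"alice@example.com"}]}}',
  '{"msg":"sub","id":"a","name":"posts.recent","params":[]}',
  '{"msg":"added","collection":"posts","id":"p1","fields":{"title":"Hello"}}',
  '{"msg":"ready","subs":["a"]}',
  '{"msg":"sub","id":"b","name":"team.members","params":[]}',
  '{"msg":"added","collection":"users","id":"u2","fields":{"emails":[{"address":"bob@example.com"}],"services":{"google":{}}}}',
  '{"msg":"ready","subs":["b"]}',
];

for (const f of auditDdpFrames(sampleFrames)) {
  console.log(`${f.collection}/${f.id}: ${f.fields.join(', ')} <- ${f.candidates.join(' | ')}`);
}
```

When several subscriptions are loading at once, every one of them is listed as a candidate; subscribing to them one at a time narrows the result.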